Post cover image
Photo by Kajetan Sumila on Unsplash

July 12, 2026

Why move_uploaded_file() Doesn't Validate Anything You Think It Does

$_FILES[‘type’] is the HTTP header the attacker sent. finfo can be fooled by polyglots. Why your PHP upload handler is broken.

By Ann R.

19 min read